APT19

APT19 is a Chinese-based threat group that has targeted a variety of industries, including defense, finance, energy, pharmaceutical, telecommunications, high tech, education, manufacturing, and legal services. In 2017, a phishing campaign was used to target seven law and investment firms. [1] Some analysts track APT19 and Deep Panda as the same group, but it is unclear from open source information if the groups are the same. [2] [3] [4]

ID: G0073
Aliases: APT19, Codoso, C0d0so0, Codoso Team, Sunshop Group
Contributors: FS-ISAC; Darren Spruell

Version: 1.0

Alias Descriptions

Name | Description
APT19 | [1]
Codoso | [4]
C0d0so0 | [4]
Codoso Team | [3]
Sunshop Group | [5]

Techniques Used

Domain | ID | Name | Use
Enterprise | T1043 | Commonly Used Port | APT19 used TCP port 80 for C2. [1]
Enterprise | T1132 | Data Encoding | An APT19 HTTP malware variant used Base64 to encode communications to the C2 server. [4]
Enterprise | T1140 | Deobfuscate/Decode Files or Information | An APT19 HTTP malware variant decrypts strings using single-byte XOR keys. [4]
Enterprise | T1073 | DLL Side-Loading | APT19 launched an HTTP malware variant and a Port 22 malware variant using a legitimate executable that loaded the malicious DLL. [4]
Enterprise | T1189 | Drive-by Compromise | APT19 performed a watering hole attack on forbes.com in 2014 to compromise targets. [4]
Enterprise | T1031 | Modify Existing Service | An APT19 Port 22 malware variant registers itself as a service. [4]
Enterprise | T1112 | Modify Registry | APT19 uses a Port 22 malware variant to modify several Registry keys. [4]
Enterprise | T1027 | Obfuscated Files or Information | APT19 used Base64 to obfuscate commands and the payload. [1]
Enterprise | T1086 | PowerShell | APT19 used PowerShell commands to execute payloads. [1]
Enterprise | T1060 | Registry Run Keys / Startup Folder | An APT19 HTTP malware variant establishes persistence by setting the Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows Debug Tools-%LOCALAPPDATA%\. [4]
Enterprise | T1117 | Regsvr32 | APT19 used Regsvr32 to bypass application whitelisting techniques. [1]
Enterprise | T1085 | Rundll32 | APT19 configured its payload to inject into rundll32.exe. [1]
Enterprise | T1064 | Scripting | APT19 downloaded and launched code within a SCT file. [1]
Enterprise | T1193 | Spearphishing Attachment | APT19 sent spearphishing emails with malicious attachments in RTF and XLSM formats to deliver initial exploits. [1]
Enterprise | T1071 | Standard Application Layer Protocol | APT19 used HTTP for C2 communications. APT19 also used an HTTP malware variant to communicate over HTTP for C2. [1] [4]
Enterprise | T1082 | System Information Discovery | APT19 collected system architecture information. APT19 used an HTTP malware variant and a Port 22 malware variant to gather the hostname and CPU information from the victim's machine. [1] [4]
Enterprise | T1016 | System Network Configuration Discovery | APT19 used an HTTP malware variant and a Port 22 malware variant to collect the MAC address and IP address from the victim's machine. [4]
Enterprise | T1033 | System Owner/User Discovery | APT19 used an HTTP malware variant and a Port 22 malware variant to collect the victim's username. [4]
Enterprise | T1204 | User Execution | APT19 attempted to get users to launch malicious attachments delivered via spearphishing emails. [1]

Software

ID | Name | Techniques
S0154 | Cobalt Strike | Access Token Manipulation, BITS Jobs, Bypass User Account Control, Command-Line Interface, Commonly Used Port, Connection Proxy, Credential Dumping, Custom Command and Control Protocol, Data from Local System, Distributed Component Object Model, Execution through API, Exploitation for Privilege Escalation, Indicator Removal from Tools, Input Capture, Man in the Browser, Multiband Communication, Network Service Scanning, Network Share Discovery, New Service, Pass the Hash, PowerShell, Process Discovery, Process Hollowing, Process Injection, Remote Desktop Protocol, Remote Services, Remote System Discovery, Scheduled Transfer, Screen Capture, Scripting, Service Execution, Standard Application Layer Protocol, Timestomp, Valid Accounts, Windows Admin Shares, Windows Management Instrumentation, Windows Remote Management

References